REMARKS

Applicant has amended the Title from: "CONNECTION BASED DENIAL OF
SFRVk U)f 1 h< \n\ > fOWH'AMAH )!)t|i' ION OP ^CANNING 

\ ' i \Ck^ V i 

claims. No new matter has been added. 

The examiner rejected Claims 1-36 under 35 U.S.C. 102(c), as being anticipated by

Claim 1

Vppi \u\ urn lib knvahle over Malm s>k \!il i nuti, d < 1 t suggests 
U A mekioo o " v ; Av." In addition, Malan c v. > ■» < >, ^ < 

features of: "adding host-pair connection records at the end of a > 

a h b i ; \ h M ai i ) i ^ f et in 

pairs added . . . over the update period; and if a host has made more than a first threshold number
"CI" ln'M p ih ; and ihe numbei of hosi pair- n sroalk m m f <es':i d ; a nbci h\ a in 4 
factor value "C2", then indicating to a console that the new host is a scanner.

The examiner stated: 

As per claim 1, Malan et al. discloses detecting scanning attacks [i.e. DoS
attacks, 0028, 0057], adding host-pair connection records to a connection table each
time a host accesses another host jf>0J44}; at the end of a short update period,
accessing the connection table to determine new host pairs; determining the number
of new host pairs added to the table over the update period; and if a host has made
more than a first threshold number "C1" host pairs, and the number of host pairs in
the profile is smaller than the threshold number by a first factor value "C2", then
indicating to a console that the new host is a scanner ftrtm, 9d.17, 0067, 0084;.

vr flol p s ^ ^ < ''x Mdpt-^j'lOJ M ! ,i " lU'KM 5 t «. 

below : 

[0028] In accordance with principles of the present inventions system and
t . i < I 1 king f i - i t 

occur between local computer systems, and/or between remote computer systems,
network links, and/or routing systems over a computer network.



\< k < < 



[0057] Referring to FIG. 3, a system 5 for detecting, tracking and blocking DoS
;n ••; ;> '> i ) i v > ! i>* ■ iwort stem if > i ( ts oh 

embodiment of the present invention. The system 5 can be located on a single server
computer (not shown), which is in communication with components of the computer
network system 10 or distributed over a plurality of server computers (not shown),
j , ith i nop !>( (its of the c.o iter aei 

19. 



Neither in these pas •> u t\ K; tMiIiusiIvk w u i v f *.ti <nqu t N 

i\ s . uv ^iv si an, i 

The examiner relies on paragraph [0084] from Malan, reproduced below:



[0084] Referring again to FIG. 5, during this SYN-packet flood attack, the
collector 20 collects flow statistics related to the SYN-packets and stores the flow
statistics in the buffer 20a, which is located on the collector 20. The buffer 20a
normalizes the incoming flow-statistics to form records. The records are placed into
a shared table. The storm detector module 20b analyzes the records in this shared
table and detects anomalous traffic. In this example, the storm detector 20b detects
the pattern of records as a SYN-packet flood attack, because the number of records
exceeds a predetermined threshold defined on the storm detector 20b. The storm
profiler 20d also analyzes the records and based on this analysis, the storm profiler
20d adaptively adjusts the predetermined threshold defined on the storm detector
20b. After detecting the SYN-packet flood attack, the storm detector 20b sends an
alert message along with a signature (e.g. a fingerprint of the alert) to the local
controller 20f. The local controller 20f adds the signature of the alert to a table in
memory, which represents the on-going local anomalies. When one of these local
ongoing anom dh tches a • 1 mt > ! of in crcs! it g a second 
predetermined threshold), such as a long duration or high severity, the local
controller 20f notifies an anomaly-profiler module (not shown) to add a new

i j t » < !<>>](»,! bet 

profiler module analyzes the normalized flow statistics in buffer 20a that are related
to the anomaly and begins to collect long-term statistics about the anomaly.
5 i ii more, Ih« artoom profile > i c snapsh s* ihi> long-tern 
statistics into the storm profiler database 20e, which is located on the collector 20.
At the same time, the local controller forwards the alert to the controller 24 as an
alert message. The controller 24 can periodically request updated anomaly
information, which in this example relates to a SYN-packet flood attack, from the
local controller 20f. The local controller 20f can respond by providing the controller
24 with the most recently collected long-term statistics related to the anomaly.



< elvH he vii' 1 K 'H x p. xls lf< 1 Mi "- c > k ! 

paekct fltnv >f.,i vs. dl inu-nnaiitdi. ' Now iuc <{.h^ XK 'a - tL-sc ihc liau f.as mtbrnutiou mckides 

S J 1 1 ^ 1 VN ! - S it 

I h 1 t e! 1) ! 1! i ) t 1 v. \ t \| < 



i o\m quo i :v - - ->\\5 <r 'is d, v Mi i di-cie#e a eosmeethet ut>h . r .m a mxe'col 

1 x 1 hrc IcJ i ct n f n >t U \t v. t ii a )< m packet flow 5 

iccordi <. i k ! nor suggests "adds.: si-pa 

i ; vc\''' * i >j,gvM ii\!vh L'^o ucxnlx " at tin uul o . - t^u ..edate jvnoe, 

iccessing ion table to dcte n nenev, lost pai s de ermining numhet ofne >ost 

- ix a iv , ' rda xi < . m wd u Mi'. • io f i ^ 1 > s i 

any approac or usinj his d 1 f s r the connection table to determine if a host should be 
eke- -a tied a m. v Ilia: i\. ekuus <\bi*. d-o iudu les he eat >rcs cd ! t hoM ha> 
d number' C S host pairs, and the nambt s 
! . *v ^ * .- f ' k + or \alae C2 , dk i iu!n o ' u> a u" >o e h * 
the new host is a scanner", is not suggested by any reading of Malan.

Claim 2

Claim 2 recites that ". . . "C1" and "C2" are adjustable thresholds." While Malan discloses
in [0084] that: "...the storm detector 20b detects the pattern of records as a SYN-packet flood
attack, because the number of records exceeds a predetermined threshold defined on the storm 
J,, c t I in.il he recoK < <. 

u • > ps< s \ ,d < 1 v the predetermined threshold defined on the storm detector 
20b/' ii v> , ic>>ti.'Kveh\ mautre man I i ierk> \hc c iters 
C4 second predc ned thresla d) such, as a long duration or high severity the local 

e add new i 

< ; current ni> i.u < , > - 



S\-kt l> 1 l 1 U K\ I V , s ! " ! I 5f k O 

B n t 1 t I t) 1 lit 

jv t s ^ s ts n ^ t i : t ! iuJ <. i k i ^p, s N .5 

short sime 



\PP >V s k I i ^ ^ s „ \ "< _ i 

Serial N ? 5 

I w \ ^ 

hreshoi i c Kiapiivd} id ustec I mi dole 

predotennineu" t c-aa 1 bun adjustable threshold '* 

Moreover, neither of the thresholds disclosed by Malan are "a first threshold number

' 1 U t t t hi t 1 vtpl'MsMl liL a f i \ s 

factor value "C2"
Claim 3

Claim 3 is distinct over Malan. The examiner argues that: "As per claim 3, Malan
discloses wherein the connection table is a current time-slice connection table and host pair

to <. c< k t < eunc i s k she. eet oca ^ od> e o ,\ , s h v \ 

\\n n eoes r>\ « o » * connection pairs, and in particular host-pair records and does 

not disclose that the connection table is a current time-slice connection table. 

Claim 4

As to claim 4, the examiner contends that claim 4 is described at [0029, 0032-0033, 0084].
Claim 4 calls for . . . aggregating records from the current time-slice table into a long update
\ vi \ scans „t the end of a ion pdate pes o , u> 

s ^ l i mst pairs ove the long upd < 

At 1 us.-ei MaU n does not address scanner attacks, pc so and irnei tht sk nh 
~ < . s n • lvX 

the an eni time slice tabic t In o> \ h \ t- > enod tabh i ..king 
ping scans by indicating hosts which produced more than "C3" new host pairs over the long 
upd eperi i c sc >sed i Malan whether at 003 0032-0033 84 r elsewhere 

Claim 5

Ciamt? itl et units c on, 4 Claim 5 add lures < f <. he long apt 

tenod iuM sithc lone spi c >nncetiO! abletodeten mte ev\ 1 --t > -x -xh i 1\ pro ess 

! ' l i u n n i) )\ mine 1 * tic 1) ^ r>is u b t > 

"Id 
update period, and if... more than . . . *OT host pairs, and the number of host pairs is smaller
than . . :X:S\ then indicating the new host as a scanner." Malan neither describes nor suggests 
1 euhi tahm rehiU wnn >c-t se 

Claim 6

The examiner contends: "As per claim 6, Malan discloses man nin Address
Resolution Protocol (ARP) packet statistics in the connection table and for sparse subnets

sparse sub-networks [0081-0082]," 

\pe' « t o»Kn ! ♦ ro saJa %hsdosuie w fouru u M . >u o\ \hi . 
directed to discussion ol the - N \ ^ v Hood attack. Neither in these passages nor elsewhere is 
d >>m - < o* > Resolution Protocol (ARP tatisl n >arse 

ubnetst k n \> >f gc £ «u I d<P requests that do not receive responses to detect 

wan, i w uk s cjIkt 1 twkd passages v < H 

connect on protocol. 

Claim 7 

x o in i ml th it "As for claim "\ N 1 1 eh wi< s v- he: s the ut f 
n < n ^ > , s j ' Claim 7 recites hat 'thest 

sc; i , Malan u i descj )cs no uggest mi ng at genera and in 

^ i . * < t v P u' ax men* ion ed -> > ! < on <> >>,o i 

et <. pointed >ove is different than a sc m track 

Claim 8

Oil W M OlJk K 1 i 1 idU 5 f (> 1 i i d lt\ U 

Malan neither describes nor suggests detecting scanning attacks, in general, and in particular 
dose*, w \ o at „us 

x Ian n >. o. 1 1 t 5 u > * ret) v nu wsho n > to. > j > s im.o i ! 
jost par co * set ons de\n li ling if the number of ports used in an historical profile is 



smaller by ... than a current number of ports being scanned by a host, and if,., greater ...
k dii hat the < € i unburn * e host is greaU than i lo\ »ound th is 
anomaly. . .7" 

Malan neither describes nor suggests these features. While Malan discloses collection of
tmvjc. » ^< '.O! \ I < v. i< uhvL 1 s J, onns> diem hei st posts u^.d 1 u« 
historical profile is smaller by ... than a current number of ports being scanned by a host 
The examiner contends that:

As per claim 8, Malan discloses detecting port scanning attacks, the method
stsvhiiit'S retrieving from a connection table logged values of protocols and ports
used for host pair connections in the table [0042-0043, O04S]; determining if the
number of ports used in the historical profile is considerably smaller by a factor
"C1" than a current number of ports being scanned by a host and the current
number is greater than a lower-bound threshold "C2", to record the anomaly; and
reporting a port scan to a console [0067-0068].

As discussed above, Malan does not describe or suggest detecting port scans. Paragraphs
K)b4~-004.\ «K) t Malan do not deal with retrieving logged values of protocol and ports used
i\ h<st o ep.ua tpl tie a disc 5 < I si 

While Malan also discusses processing data statistics to generate at least one record and
toH 1 ti r is v. ti ^Ci.'.ate i)nl k 11 t H ] i ' ^ i (Uu n 

s botes rc xted < the t least one record exceed the predetenmned threshold representing the 
t > ' i t ua Ma! m again trercis !. uxci 1 1 es 

r\ s id pt il i cd b 1 o * pir l ivCU 

m ip 1 ^ 1 v c - ..uviiio Ok f < <J is v 

Mahsa >,i eiJ\ mi v f ukn.i n; Ok . t < , o so the 

1 s 1 > » v> > s i V c n iaiuo "t I Imp a JK V 

„ SO led ! !1 tsJtA'tl I'i 1 0 '11 . f i ' U> K \. ') t 

the anoi t -s s_ s s t r at [0067-0068J or els i s in \ 

n ^ v a si t j s v, j o 1 i 1 5 w 1 v 1 1 ( 

\ the historical e t s ? s 1 L u 1 imber of p s< 1 v.c 

by a host .... 

( kirns 3 add distinct features and are also allowable over Malan 



Claims 14, 24, and 28 and dependent claims 15-19; 25-27; and 29-32 include analogous 
c \ < an 21 ru- 2" t.kK-.re thu ahu\s ah c (<n t < ,>.o ui- re- 
claims 20,33 < t mi 11-25 md 54 >6 j ^ t ts ^ t jus as claim 

( i i ■> 1 1 1 1 S l K IS 

It's * J s v .i^u nl ir hi sra h's. k.n 

addressed;. 

hi view . ; mo ;^oy ^ K cmo. an respectfully submits ihai me appiicu-ion is in 
onro! . . id such ictioti s re quested at the c\ ir mei ■. < 1 convenient 

1 v i v. , ^ - i pa.c iUh\ fu Lj-'u, us Mr s% S\ 

whLh the? depend patentable. 

( it < urns, if a seen cane led hh prejad > 5 ^ 

which the applicant as (a) addressed certain comments ol let 
does not mean that the applicant concedes other comments of the examiner, (b) made arguments
for the patentability of some claims does not mean that there are noi < so is ret

patentability of those claims and other claims, or (c) amended or canceled a claim does not mean 
that the applicant concedes any of the examiner's positions with respect to that claim or other 
claims. 

No ^ vae\ ed e\c ''lease appU au> othei dim ge 5 oi cred ^ T " de x>s t 
account 06-1050.

Respectfully submitted. 



Denis G. Maloney
Reg. No. 29,670